Package software.amazon.awscdk.services.ec2

Interface ClientVpnEndpointOptions

All Superinterfaces:
software.amazon.jsii.JsiiSerializable
All Known Subinterfaces:
ClientVpnEndpointProps
All Known Implementing Classes:
ClientVpnEndpointOptions.Jsii$Proxy, ClientVpnEndpointProps.Jsii$Proxy
@Generated(value="jsii-pacmak/1.119.0 (build 1634eac)", date="2025-12-01T16:02:19.363Z") @Stability(Stable) public interface ClientVpnEndpointOptions extends software.amazon.jsii.JsiiSerializable
Options for a client VPN endpoint.

Example: 

 vpc.addClientVpnEndpoint("Endpoint", ClientVpnEndpointOptions.builder()
         .cidr("10.100.0.0/16")
         .serverCertificateArn("arn:aws:acm:us-east-1:123456789012:certificate/server-certificate-id")
         // Mutual authentication
         .clientCertificateArn("arn:aws:acm:us-east-1:123456789012:certificate/client-certificate-id")
         // User-based authentication
         .userBasedAuthentication(ClientVpnUserBasedAuthentication.federated(samlProvider))
         .build());

  • Method Details

    • getCidr

      @Stability(Stable) @NotNull String getCidr()
      The IPv4 address range, in CIDR notation, from which to assign client IP addresses.

      The address range cannot overlap with the local CIDR of the VPC in which the associated subnet is located, or the routes that you add manually.

      Changing the address range will replace the Client VPN endpoint.

      The CIDR block should be /22 or greater.

    • getServerCertificateArn

      @Stability(Stable) @NotNull String getServerCertificateArn()
      The ARN of the server certificate.

    • getAuthorizeAllUsersToVpcCidr

      @Stability(Stable) @Nullable default Boolean getAuthorizeAllUsersToVpcCidr()
      Whether to authorize all users to the VPC CIDR.

      This automatically creates an authorization rule. Set this to false and use addAuthorizationRule() to create your own rules instead.

      Default: true

    • getClientCertificateArn

      @Stability(Stable) @Nullable default String getClientCertificateArn()
      The ARN of the client certificate for mutual authentication.

      The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM).

      Default: - use user-based authentication

    • getClientConnectionHandler

      @Stability(Stable) @Nullable default IClientVpnConnectionHandler getClientConnectionHandler()
      The AWS Lambda function used for connection authorization.

      The name of the Lambda function must begin with the AWSClientVPN- prefix

      Default: - no connection handler

    • getClientLoginBanner

      @Stability(Stable) @Nullable default String getClientLoginBanner()
      Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established.

      UTF-8 encoded characters only. Maximum of 1400 characters.

      Default: - no banner is presented to the client

    • getClientRouteEnforcementOptions

      @Stability(Stable) @Nullable default ClientRouteEnforcementOptions getClientRouteEnforcementOptions()
      Options for Client Route Enforcement.

      Client Route Enforcement is a feature of Client VPN that helps enforce administrator defined routes on devices connected through the VPN. This feature helps improve your security posture by ensuring that network traffic originating from a connected client is not inadvertently sent outside the VPN tunnel.

      Default: undefined - AWS Client VPN default setting is disable client route enforcement

      See Also:

    • getDescription

      @Stability(Stable) @Nullable default String getDescription()
      A brief description of the Client VPN endpoint.

      Default: - no description

    • getDisconnectOnSessionTimeout

      @Stability(Stable) @Nullable default Boolean getDisconnectOnSessionTimeout()
      Indicates whether the client VPN session is disconnected after the maximum sessionTimeout is reached.

      If true, users are prompted to reconnect client VPN. If false, client VPN attempts to reconnect automatically.

      Default: undefined - AWS Client VPN default is true

      See Also:

    • getDnsServers

      @Stability(Stable) @Nullable default List<String> getDnsServers()
      Information about the DNS servers to be used for DNS resolution.

      A Client VPN endpoint can have up to two DNS servers.

      Default: - use the DNS address configured on the device

    • getLogging

      @Stability(Stable) @Nullable default Boolean getLogging()
      Whether to enable connections logging.

      Default: true

    • getLogGroup

      @Stability(Stable) @Nullable default ILogGroup getLogGroup()
      A CloudWatch Logs log group for connection logging.

      Default: - a new group is created

    • getLogStream

      @Stability(Stable) @Nullable default ILogStream getLogStream()
      A CloudWatch Logs log stream for connection logging.

      Default: - a new stream is created

    • getPort

      @Stability(Stable) @Nullable default VpnPort getPort()
      The port number to assign to the Client VPN endpoint for TCP and UDP traffic.

      Default: VpnPort.HTTPS

    • getSecurityGroups

      @Stability(Stable) @Nullable default List<ISecurityGroup> getSecurityGroups()
      The security groups to apply to the target network.

      Default: - a new security group is created

    • getSelfServicePortal

      @Stability(Stable) @Nullable default Boolean getSelfServicePortal()
      Specify whether to enable the self-service portal for the Client VPN endpoint.

      Default: true

    • getSessionTimeout

      @Stability(Stable) @Nullable default ClientVpnSessionTimeout getSessionTimeout()
      The maximum VPN session duration time.

      Default: ClientVpnSessionTimeout.TWENTY_FOUR_HOURS

    • getSplitTunnel

      @Stability(Stable) @Nullable default Boolean getSplitTunnel()
      Indicates whether split-tunnel is enabled on the AWS Client VPN endpoint.

      Default: false

      See Also:

    • getTransportProtocol

      @Stability(Stable) @Nullable default TransportProtocol getTransportProtocol()
      The transport protocol to be used by the VPN session.

      Default: TransportProtocol.UDP

    • getUserBasedAuthentication

      @Stability(Stable) @Nullable default ClientVpnUserBasedAuthentication getUserBasedAuthentication()
      The type of user-based authentication to use.

      Default: - use mutual authentication

      See Also:

    • getVpcSubnets

      @Stability(Stable) @Nullable default SubnetSelection getVpcSubnets()
      Subnets to associate to the client VPN endpoint.

      Default: - the VPC default strategy

    • builder

      @Stability(Stable) static ClientVpnEndpointOptions.Builder builder()
      Returns:
      a ClientVpnEndpointOptions.Builder of ClientVpnEndpointOptions